NEW231917
[bmalloc] Heap.shrinkLarge() allocates non-aligned region 
https://bugs.webkit.org/show_bug.cgi?id=231917
Summary [bmalloc] Heap.shrinkLarge() allocates non-aligned region
Basuke Suzuki
Reported 2021-10-18 16:02:12 PDT
Because the newly allocated region is not aligned well, unaligned region will be returned to LargeFree while splitAndAllocate() is called. Those regions won't match to any request to LargeFree until the neighbor region is returned to LargeFree and get merged with that. 1. Align 40k memory region A. Both start and end is aligned in 4k boundary. 2. realloc A to 36k + 1. shrinkLarge tries to split it in that size, B (36k +1) and C (4k - 1) 3. B's end is not aligned, but there's no practical issue. 4. On the other hand, C's start address is not aligned and sit in the LargeFree. It won't fit to any request because it's not aligned.
Attachments
Add attachment proposed patch, testcase, etc.
Basuke Suzuki
Comment 1 2021-10-18 17:09:42 PDT
Above description was wrong. Rewrote. Because the newly allocated region is not aligned well, unaligned region will be returned to LargeFree while splitAndAllocate() is called. Those regions won't match to any request to LargeFree until the neighbor region is returned to LargeFree and get merged with that. 1. Align 40k memory region A. Both start and end is aligned in 4k boundary. 2. realloc A to 36k + 8. shrinkLarge tries to split it in that size, B (36k +8) and C (4k - 8) 3. B's end is not aligned, but there's no practical issue. 4. On the other hand, C's start address is not aligned and sit in the LargeFree. It won't fit to any request because it's not aligned.
Radar WebKit Bug Importer
Comment 2 2021-10-25 16:03:18 PDT
<rdar://problem/84635991>
Note You need to log in before you can comment on or make changes to this bug.